我有以下登录脚本,我认为它是安全的。但是,有人不断访问网站的管理部分并更改内容。
if(isset($_POST['submit'])) {
$error = false;
$user_login = stripslashes(strip_tags(htmlentities($_POST['user_login'])));
$pass_login = stripslashes(strip_tags(htmlentities($_POST['pass_login'])));
if(!empty($user_login) && !empty($pass_login)) {
$check_details=mysql_query("SELECT * FROM `admin` WHERE email='".$user_login."' AND password='".md5($pass_login)."'");
$status=mysql_num_rows($check_details);
if($status >= "1") {
$error = false;
$_SESSION['wmmadmin_loggedin'] = "1";
$_SESSION['wmmadmin_email'] = "".$user_login."";
header("Location: ./index.php");
}
if(!$status || $status == "0") {
$error = true;
echo "<div id=\"error\"><strong>Error!</strong><br />Login details were incorrect.</div>\n";
}
}
if(empty($user_login) || empty($pass_login)) {
$error = true;
echo "<div id=\"error\"><strong>Error!</strong><br />Enter your username and password.</div>\n";
}
}
在每个脚本的顶部都有一个函数调用:
function checkloggedin() {
if($_SESSION['wmmadmin_loggedin'] == "0" || $_SESSION['wmmadmin_loggedin'] !== "1" || $_SESSION['wmmadmin_email'] == "") {
header("Location: login.php");
exit;
}
}
我错过了什么吗?我需要阻止这些黑客!
谢谢皮特